Patient-centered E-mail: Developing the Right Policies

by Gretchen Murphy, MEd, RHIA

Patients and providers are increasingly communicating via e-mail. But healthcare organizations are slow in adopting policies to address important issues and manage this new communication form. Here's what you can do to develop some measures.

Like most industries, healthcare is undergoing unprecedented change. As such, it is struggling to understand the effective use of technology in supporting its current and future states. With the Internet and its derived technologies now added to the paradigm, the healthcare industry has become caught in a fundamental and irrevocable change in the way it conducts business processes.¹

Where e-mail is available, we spend less time on the phone. We use it to set up and confirm meetings; we send attachments to colleagues for comment and mutual work. We even conduct meetings via e-mail. Virtually all organizations today are conducting business via e-mail. This is business communication at the start of the new millennium. 

 For HIM professionals, however, e-mail presents challenges as well as benefits. One particular facet of the new technology that we haven't caught up with yet is e-mail as clinical communication among providers and between providers and their patients. 

 HIM professionals have always worked to ensure that the best interests of patients are kept in mind, especially in terms of confidentiality and security. Now, patients have become our customers in a new way. By one estimate, more than 40 percent of patients in the United States use e-mail to contact health professionals.² Increasingly, e-mail is taking the place of phone calls to reach patients. It empowers the patient in new ways and brings new expectations as well. 

While we want to serve customers in the best way possible, we need a framework in this area. We want good practice to drive the technology-not the technology to drive the practice. We need answers to fundamental questions like: 

• what role does electronic mail play in health information management? 
• what are the actions that ought to be under way to use it effectively? 
• how can we learn from others' experience? 
• how can we lead in the practice environment? 

How do we, as HIM professionals, provide leadership and promote realistic management of this new tool for provider to patient communication? That's the question this article attempts to answer. We need to address the confidentiality and security aspects of e-mail between provider and patient, including informed consent. We need new business processes to manage the provider-to-patient e-mail communication function itself. We need to modify HIM practice to accommodate e-mail as clinical documentation appropriate for patient records. And we must continue to develop knowledge and understanding of the technology involved. 

Technology, Laws, and Standards

During the l990s, the adoption rate of e-mail has been extraordinary. According to industry estimates, by the year 2001, more than half the US population will be using e-mail.³ In 1998, 33 percent of 10,000 physicians polled used e-mail to communicate with their patients-a 200 percent increase over the year before.⁴

In healthcare, e-mail offers improved access to health services and efficiency of communication. What's more, it can be useful in patient care because providers must deal with an increasing number of nonemergency scenarios each day. The asynchronous nature of e-mail makes it ideal for managing care through multidisciplinary teams and other settings.⁵ It also is the first medium to offer patients a way to easily contribute directly to their own records. 

Yet we remain cautious. While advances have been made in encryption, experts contend that Internet-based e-mail still poses security risks.⁶ The technical options for forwarding and sharing messages allow e-mail users to send and receive information at the touch of a button, and errors in transmission can occur. Clinicians worry that patients may not use it appropriately, with the result that important messages may be missed. 

Despite such concerns, providers are eager to use e-mail. In fact, organizations continue to be caught between underdeveloped policies and procedures and customer expectations in this area. 

At the same time, laws are also evolving. Not only is electronic mail discoverable for legal purposes, but the proposed security rules for the Health Insurance Portability and Accountability Act (HIPAA) call for detailed attention to security issues, including e-mail. The current and future environment will need thoughtful monitoring as health information managers prepare for and implement the new activities.

Accreditation and Standards-What Role Do They Play?

With the advent of HIPAA, healthcare organizations are focusing on understanding the new requirements of secure handling of health information. While we have developed confidentiality and security policies for licensing and accreditation purposes for many years, the new challenges are unique. The requirement to transfer electronically stored health information in a secure manner has healthcare professionals scrambling to understand how to establish both the policy and operations level and the technical infrastructure required to support it. 

In the past two years, standards development organizations have focused on a number of security issues. Of these organizations, the American Society for Testing and Materials (ASTM) has published several standards to assist organizations in developing policy and technical approaches to make this practice happen. For example, Standard E1869-97 calls for encryption for electronic mail. While this and other ASTM standards documents are continuously developing, they offer an initial reference point for organizations.⁷ For more information, visit the ASTM Web site at www.astm.org.

Provider-to-Patient E-mail and the Clinical Record

A major concern for HIM professionals is the effect of e-mail on the patient record. What should be done with it? How should it be maintained? 

Because e-mail serves as a way for physicians to direct patients on their individual care plans as well as a way for patients to respond about their treatments, this information becomes part of the clinical record. 

Providers and others who work with e-mail recommend including it in the patient record. One provider includes e-mail directions to patients on the back of his business card, including brief instructions, recommended cautions, and a notice that he may save e-mail in his patients' records.⁸

 How organizations evaluate this recommendation and others like it depends on culture and organizational structure. Integrated delivery systems and managed care environments that rely on intranets to coordinate patient care and health services may expect more pressure to formalize e-mail in clinical record business processes. Adding e-mail to patient records as additional interfiled paper in the day-to-day operations of managing patient record systems is the challenge. 

How Can We Learn From Others' Experience?

How can we learn from others' experience in forging policies regarding patient-provider e-mail? Some good resources are already in place today. The most notable commentary was issued by a task force that developed the basis for a position statement adopted by the American Medical Informatics Association (AMIA) in l998. This position paper offers extensive suggestions on aspects of e-mail in the clinical environment. 

We see the influence of this work on several healthcare organization's Web sites. Both the Stanford Medical Group and Kaiser Permanente provide patients with instructions on how to use e-mail to communicate with providers.^{9, 10} Other organizations, such as Partners HealthCare System, are working to establish policies to assist their patients in moving forward with secure e-mail.¹¹

 The Community Health Information Technology Alliance (CHITA)-Agora model policy, developed through the Foundation for Health Care Quality in their Three-State Privacy project, consolidates contributed ideas from these sources as well as from Washington state members of the project. Recently funded by a Robert Wood Johnson grant to expand the project to five states, the current effort is known as the Healthkey Project and is committed to demonstrating secure e-mail communication through model privacy practices and pilot site evaluation.¹² "E-mail Draft Policy," [below] features the draft model policy currently under review by project participants and includes specific language on provider-to-patient e-mail. 

Finally, the updated AHIMA practice brief published in the February 2000 Journal of AHIMA provides specific guidelines for health information managers.¹³ The brief draws on a number of references, including the AMIA position paper, and provides comprehensive direction to practitioners. 

In reviewing common policy elements in these and other sources, we can identify a number of areas where organizations have developed specific policy and procedure components. In "Patient-to-Provider E-mail Policy Provisions and Elements," [below] we can see six detail areas that are addressed within the broad tasks of confidentiality-based informed consent, operational directions for e-mail use, and clinical record applications. Details in one or more policies and procedures include the following recurring themes: 

• confidentiality policies are updated to include e-mail communication 
• patient informed consent for using e-mail to communicate with their provider is in place 
• patient instructions on using e-mail effectively are provided via Web sites as well as within consents 
• established boundaries for e-mail use are stated by policy and included in communications to patients 
• the patient record is cited as the repository of e-mail communication between patient and provider 
• technical security provisions are called for as the basic foundation to moving ahead with provider-patient e-mail 

The matrix illustrates these policy topics with a cross reference to sources. Within these six areas, we can see common focus areas as well as the diversity in application. 

Forming an Action Plan

What should you do now? Even though your individual organization may not officially sanction provider-to-patient e-mail, chances are it's happening. Reports of providers who communicate with their patients by e-mail are growing.¹⁴ Regardless of policy, health information departments are likely receiving copies of e-mail correspondence with requests to file them in the record. While we may continue to resist, legal advice and leaders in our field recommend we find a way to accommodate this new form of documented clinical communication. Consider starting on the following: 

• First, update current confidentiality policies to incorporate references to e-mail if they are not already in place. This may be as simple as modifying current language to specify that patient-identifiable health information in any form (examples included) is maintained in a confidential manner. You might also make reference to organizational policy in the material developed for patient communication. If a policy is not yet in place, develop a new one that specifically addresses e-mail users, authentication, confidentiality, security provisions, and usage rules. Patient role may be included or may be a separate policy. 
• Second, develop a notice and consent form for patients who wish to use e-mail to communicate with their providers. The notice should advise patients of the confidentiality policy and security issues and inform them about who will see their health information. It also should clearly point out the need for patients to adopt privacy practices. See the notes at the end of this article for examples that charge patients to handle their information in a secure manner. If your organization is working on Web-based access for patients, connect with that effort. Visit the Web sites for the resources listed in our matrix for examples. 
• Third, prepare directions for patients and providers on how to use e-mail for care purposes and develop the procedures required to support them. This is particularly important where e-mail messages serve as documentation in the clinical record. Directions should include information on how patients are to identify themselves, the specific kind of messages that are appropriate for e-mail, and how patients should escalate issues when necessary. Cautions against using e-mail for emergency messages and sensitive health problems should be included. Organizations may begin with inviting patients to communicate on topics such as making or confirming appointments or requesting pharmacy prescription refills. It should also be made clear to staff that e-mail is discoverable for legal purposes. 
• Fourth, work with clinical and operational staff to define the usage boundaries for electronic mail. How information is shared and forwarded and rules for handling it should conform to your organization's role-based access guidelines. Organizational security frameworks that designate clinical staff access apply to e-mail as well. Where e-mail is screened for triage purposes, staff training to process and refer messages and confidential handling of e-mail printouts may be needed. 
• Fifth, work with the medical record committee to reach consensus about placing the e-mail into the patient record. Emerging recommendations call for including e-mail to be placed in the record when it refers to specific healthcare directions or response to treatment. But when e-mail communication becomes voluminous, operational costs will be an issue. Where e-mail can be stored electronically and retrieved as part of the patient's electronic health record, new work will be required to determine the most effective way to maintain and retrieve the information. If including e-mail as clinical documentation in the patient record is optional, criteria for inclusion might be patterned after telephone encounter documentation guidelines. The matrix consensus is not clear in this area. In some cases, it has not yet been addressed. 
• Finally, develop technical security measures that address e-mail to meet the HIPAA requirements. Note the attention paid to encryption on the matrix. Technical security practices focus on user ID requirements and remote access protection as well. As a targeted practice area for HIM professionals, security policies and technical provisions continue to expand current HIM roles. 

Organizational Security Framework

From the broad perspective, security provisions are built from privacy principles, organizational policies, and security practices to support health information business processes. Policy development, revised procedures, and applied technical provisions are certainly a priority for healthcare organizations and health information managers today. 

 The unique aspect of patient-to-provider e-mail creates both opportunity and challenge on a day-to-day basis. The role of the patient record in documenting the care process is being expanded as new forms of documentation evolve. By monitoring the potential in these communication options and assessing organizational preparedness, we are better prepared to propose collaborative projects to support change in a planned manner. 

Patient-to-Provider E-mail Policy Provisions & Elements

E-mail Draft Policy

Notes

1. Kohn, Deborah. "Preparing the Environment for Internet-Derived Technologies." In Electronic Health Records: Changing The Vision. Murphy, G.F., Hanken, M.A., Waters, K.A., eds. Philadelphia: W.B. Saunders, l999, p. 144. 
2. "E-mail Contact Between Doctor and Patient." Medical Practice Communicator 6, no. 4 (1999): 5. Available at http://www.medscape.com/. 
3. Sands, Daniel Z. "Guidelines for the Use of Patient Centered E-mail." White paper. Massachusetts Health Data Consortium, l999. Available at http://www.mahealthdata.org/. 
4. Ibid. 
5. Mandl, K.D., Kohane, I.S., Brandt, A.M. "Electronic Patient Physician Communication: Problems and Promises." Annals of Internal Medicine 129 (1998): 495-500. 
6. Navighurst, Craig. "Unlocking the Mailbox." American Medical News, September 13, l999. 
7. "Standard Guide for Confidentiality, Privacy, Access, and Data Security Principles for Health Information Including Computer-based Patient Records." ASTM standard no. E1869-97. Available at the ASTM Web site at http://www.astm.org/. 
8. "Danny's Clinical Use of E-mail Page." Available at http://clinical.caregroup.org/ePCC/. 
9. "Electronic Mail Services." Available at the Stanford Medical Group Web site at www.med.stanford.edu/shs/smg/email.html. 
10. "Doctor Appointments and Advice Available Online." Available at the Kaiser Permanente Web site at www.kaiserpermanente.org/locations/colorado/newsroom/releases/online.html. 
11. "Guidelines for Clinical Electronic Mail Communication." Partners HealthCare draft policy, May 3, 1999. 
12. CHITA-Agora Project Privacy Task Force. "Electronic Mail (E-MAIL) Draft Policy 1.2." September 6, l999. 
13. Hughes, Gwen. "Practice Brief: E-mail Security (Updated)." Journal of AHIMA 71, no. 2 (2000): insert. 
14. Mandl, K.D., Kohane, I.S., Brandt, A.M. "Electronic Patient Physician Communication: Problems and Promises." 

Gretchen Murphy is director of the health information administration program at the University of Washington, Seattle, and a member of the Journal of AHIMA's editorial advisory board. She also serves as chair of the CHITA-Agora privacy task force, Healthkey Project, Foundation for Healthcare Quality. She can be reached at gcmurphy@uwashington.edu.